Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11/03/2025, 14:36

General

  • Target

    RFQ.exe

  • Size

    881KB

  • MD5

    768bed9843a8a7c96699b27fc40b8819

  • SHA1

    4ae495c3540252bef39276bf6e9fc84435f7b7bb

  • SHA256

    aa653ad0d107b2d7ab98d4ede0eef147b73fbd7eb2f522f0bf608f833daebe34

  • SHA512

    e23d433ac20532c512d2f2db1badbf4a2e43d2c28ff73553e2de79d82a012dbe1afe81d59bc830f4606ff3b54b08cbbcbd2b6448cdb12a3246ffb4607ac93539

  • SSDEEP

    12288:TfNeE6xIVKGJA1R1MbXgf+GH4oGSlhA8b06JJe4Ii3QOeGiTJyxwC1ht2ddT+:wE6xcA1LMbDqXm8b0iJ7r6cxvE

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendMessage?chat_id=6732456666

Signatures

  • DarkCloud

    An information stealer written in Visual Basic.

  • Darkcloud family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2820
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wOPQRmK.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wOPQRmK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp90F9.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2796
    • C:\Users\Admin\AppData\Local\Temp\RFQ.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp90F9.tmp

    Filesize

    1KB

    MD5

    43ad240df69e8512d2ae3b16362c31de

    SHA1

    65b7834313b48e40e2792bff9a9de0a50484d5d4

    SHA256

    0705752aef87c370e3fb91cabb12ce8dd04d98cbdf52b4cf3a15c2f40d5b68b6

    SHA512

    30b46fcaab2284489a2baaf51a8207843241cf21bb00e6f4de086d82476cedb41b928cbde350be1a3640fa5ab9704455f38958efb55466cc0d968236bb5cc8cf

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0ZYVTHLAT18Q2OG5UQQO.temp

    Filesize

    7KB

    MD5

    ed85a864fd9e00506b464a57a50ebd4d

    SHA1

    5e888e85e2abe9641a04cef2b540b0c0a9ed3be3

    SHA256

    c790f61bfffd6c70f5de66cd7a3b26134b01695e0dd550945f6c87fec8d9c028

    SHA512

    de426776683f9e8638df8283f986b8e8b1f2018b2c3a35d3250f072d449cb30059453053d32ed22d845c6ca0d6448cf6ec93218a8f767f0303f8bd05c16d4d09

  • memory/2000-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2000-21-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2000-19-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2000-23-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2000-29-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2000-28-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

  • memory/2392-6-0x0000000004A80000-0x0000000004B3C000-memory.dmp

    Filesize

    752KB

  • memory/2392-1-0x0000000000C60000-0x0000000000D42000-memory.dmp

    Filesize

    904KB

  • memory/2392-2-0x0000000074420000-0x0000000074B0E000-memory.dmp

    Filesize

    6.9MB

  • memory/2392-3-0x0000000000440000-0x0000000000450000-memory.dmp

    Filesize

    64KB

  • memory/2392-0-0x000000007442E000-0x000000007442F000-memory.dmp

    Filesize

    4KB

  • memory/2392-5-0x0000000074420000-0x0000000074B0E000-memory.dmp

    Filesize

    6.9MB

  • memory/2392-4-0x000000007442E000-0x000000007442F000-memory.dmp

    Filesize

    4KB

  • memory/2392-32-0x0000000074420000-0x0000000074B0E000-memory.dmp

    Filesize

    6.9MB